> You just accept any username, create a KDC entry for them, and give
> them an empty password. Tada, authenticated.

Only the KDC admin can do this. Furthermore, users would need to remember a different username (and password, if they have any sense) for every cell.

> the user now has this piece of magic data that they have to keep track of

SSH users seem to be able to manage this quite easily. PGP as well.

I also mentioned kx509 as an example of a partial solution: perhaps authentication is moving from kdc-as-trusted-omnipotent-deity to kdc-as-key-storage-facility. Specifically, kx509 changes the role of the KDC from issuing tickets to issuing "junk certificates". It's a way for organizations that have made major investments in Kerberos to escape the fundamental limitations of symmetric-only cryptosystems. This way users don't have to carry around their keys.

Perhaps identity management can't be done perfectly, but it is already being done well enough to make the rest of this possible. The trick is to avoid committing to a single approach (as with afs+krb4), but instead to provide the minimum interface that would allow them all.

- a

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
